Open herbdool opened 7 years ago
Do the entity view functions not do an access check on whether the current user can view the entity?
Shouldn't different entity types be responsible for doing their own basic permissions and access checking?
Do the entity view functions not do an access check on whether the current user can view the entity?
They do when the entities are rendered (for example, using a view mode). But if we are displaying only a link to them, we'll need to check access when building that link. We should be able to use entity_access(), which leverages the code of each individual entity to determine the access. I'll give it a shot!
When displaying a node reference field, the module should check that the user has permissions to view the referenced nodes. I noticed that in References, that check is being done here: node_reference_field_prepare_view()
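The check discussed in this thread, as an added example that is not code from the thread or from the module: a link-only formatter that asks a per-entity-type access callback before emitting each link. The function names, data layout and permission string are hypothetical stand-ins, not the real entity_access() or References API.

```php
<?php
// Constructed sample data: two referenced nodes, one of them unpublished.
$referenced = [
  ['type' => 'node', 'id' => 1, 'title' => 'Public page', 'status' => 1],
  ['type' => 'node', 'id' => 2, 'title' => 'Draft merger plan', 'status' => 0],
];

// Hypothetical per-type access callbacks: each entity type owns its own rule.
$access_callbacks = [
  'node' => function (array $entity, array $account) {
    return $entity['status'] == 1
      || in_array('view unpublished', $account['permissions'], TRUE);
  },
];

// Stand-in for an entity_access()-style dispatcher.
// Unknown entity types and unknown operations are denied by default.
function demo_entity_access(array $callbacks, $op, array $entity, array $account) {
  if ($op !== 'view' || !isset($callbacks[$entity['type']])) {
    return FALSE;
  }
  return (bool) $callbacks[$entity['type']]($entity, $account);
}

// Link-only formatter: nothing is rendered through a view mode here, so the
// access check has to happen at the point where the link is built.
function demo_format_links(array $callbacks, array $items, array $account) {
  $links = [];
  foreach ($items as $entity) {
    if (!demo_entity_access($callbacks, 'view', $entity, $account)) {
      // Skip the item so neither its title nor its path is disclosed.
      continue;
    }
    $title = htmlspecialchars($entity['title'], ENT_QUOTES, 'UTF-8');
    $href = '/' . $entity['type'] . '/' . (int) $entity['id'];
    $links[] = '<a href="' . $href . '">' . $title . '</a>';
  }
  return $links;
}

// Constructed accounts: one without permissions, one that may see drafts.
$anonymous = ['permissions' => []];
$editor = ['permissions' => ['view unpublished']];

print_r(demo_format_links($access_callbacks, $referenced, $anonymous));
print_r(demo_format_links($access_callbacks, $referenced, $editor));
```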